Passwords (Part 1)

September 2nd, 2014

Or, how computer people have lied to you for years without your knowing.

Today, everybody has (or wants) a password. There’s one for your PC, your email, your bank, your shopping, your social media. They’re everywhere. And there are all these rules. You have to use a capital letter, and a number, a symbol, and it has to be 8 characters long, and you have to change it every 90 days, and you can’t use your dog’s name, and you can’t spell any words and and and and and….

And what happens is, nobody can remember their password, so they write them down on a piece of paper and stick it to the monitor, defeating the purpose of the password. Or, everyone saves their passwords in their browser cookies so they don’t have to type them in; because let’s face it, nobody wants to (or typically can) remember “6$bR0*q@”. Which is fine, as long as someone doesn’t come into your office, or access your files to see the passwords.

So what’s the answer? We’ll get there. First, let’s look at why the rules are set the way they are, so we can see about avoiding this problem without making it worse.

Passwords are complex because computers are fast. When you log into a site, your system sends an encrypted version of your password to the server. If that encrypted version matches what the server has, then you’re allowed to log in. If not, then you get the “login unsuccessful” message.

Most of the time, the system you’re logging into is not on the same machine as you are, so your encrypted password is sent over the internet, where other people can snag a copy of it. They can then try various combinations of passwords, to see if they generate the same encrypted version as you did. If so, then they’ve figured out your password. So, the classic line of defense is to require the password to be complex.

The “typical” secure password rule set (must be 8 characters, must contain mixed case letters, numbers, and symbols) has roughly 10^16 possible combinations. That will take a while for most computers to dig through, so it’s considered “secure enough”. And today, it is. However, as computers get faster, the password complexity requirements are going to go up, making passwords even harder to remember.

Which is the wrong way to do it.

What if I could show you a way to make a complex password that is easy to remember?

Which of these is easier to remember: “r$bRO*q@” or “My dog is named Spot.”? Which one is more difficult for a computer to figure out?

The answer to both questions is: the second one. Both passwords have 3 of the 4 categories for “complexity”, but the second password phrase has roughly 10^39 possible options. At current technology levels, it will take roughly 3 days to break the first, and 5 sextillion years (5,000,000,000,000,000,000,000 years) to crack the second password. And if we’d thrown a number into the mix (giving it all 4 options), then the time for the second would’ve jumped to 94 sextillion years. (See http://howsecureismypassword.net for more estimates on time to guess passwords.)

So why is the second one so much harder for the computer to calculate?

It’s because of the length of the phrase. Having 21 characters in the phrase makes the password significantly harder to guess. However, having a common sense phrase makes it easy to remember. Plus, the complexity in the password makes sense. After all, you’re supposed to capitalize the first word of the sentence, any proper names, and put a period at the end.

As an added plus, you can safely leave notes on your desk / monitor about your password, and not have to worry about other people guessing it.

Password Hint / Note       Password                 Approximate Time to Guess
Dog’s name                 My dog is named Spot.    5 sextillion years
Special Day                May 3, 2013              7 thousand years
Wedding Anniversary        September 25, 1999       178 quadrillion years
Car? Color year type?      Blue 2009 Toyota Rav4    94 sextillion years

So finding a good phrase works better than a cryptic jumble that can’t be remembered.
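The comparison above, and the table, both rest on one calculation: how many candidates an attacker has to try if all they know is the length of the password and which character classes it uses. The script below is an added illustration, not code from the original post or from the site that published it. It assumes printable-ASCII class sizes (26 lower, 26 upper, 10 digits, 33 symbols including space) and an assumed guess rate of 10^10 guesses per second; that rate reproduces the post’s “roughly 3 days” for the 8-character example, while the passphrase figures come out somewhat larger than the post’s because online estimators assume different alphabet sizes. The model is pure brute force: an attacker who guesses that the password is an English sentence built from a hint on the monitor searches a far smaller space, so treat these numbers as an upper bound.

```python
"""Brute-force keyspace and time-to-exhaust estimates for passwords.

Added illustration; not code from the original post. The character-class
sizes and the guess rate below are assumptions, not figures from the article.
"""
import math
import string

# Assumed alphabet sizes (printable ASCII): 26 lower, 26 upper, 10 digits,
# 33 symbols (string.punctuation plus the space character).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classes_used(password):
    """Return the names of the character classes the password draws from."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def alphabet_size(password):
    """Size of the alphabet an attacker must assume, given the classes seen."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace(password):
    """Number of candidates when only length and classes are known:
    alphabet_size ** length. This is the 10^16 / 10^39 figure in the post."""
    return alphabet_size(password) ** len(password)


def bits_of_entropy(password):
    """Same quantity expressed in bits (log2 of the keyspace)."""
    return math.log2(keyspace(password))


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case time to try every candidate at the given rate.

    1e10 guesses/s is an assumed offline cracking rate (GPU-class hardware
    against a fast unsalted hash); it matches the post's "3 days" for the
    8-character example.
    """
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


def humanize_years(years):
    """Render a year count in the units the post uses (days ... sextillion)."""
    if years < 1:
        return f"{years * 365.25:.1f} days"
    scales = (("sextillion", 1e21), ("quintillion", 1e18), ("quadrillion", 1e15),
              ("trillion", 1e12), ("billion", 1e9), ("million", 1e6),
              ("thousand", 1e3))
    for name, scale in scales:
        if years >= scale:
            return f"{years / scale:.1f} {name} years"
    return f"{years:.1f} years"


def report(password, guesses_per_second=1e10):
    """Summarise one password the way the post's table does."""
    return {
        "password": password,
        "length": len(password),
        "classes": sorted(classes_used(password)),
        "keyspace_log10": round(math.log10(keyspace(password)), 1),
        "entropy_bits": round(bits_of_entropy(password), 1),
        "time_to_exhaust": humanize_years(
            years_to_exhaust(password, guesses_per_second)),
    }


if __name__ == "__main__":
    # Constructed samples: the two passwords compared in the post plus the
    # passphrases from its table.
    for pw in ("r$bRO*q@", "My dog is named Spot.", "May 3, 2013",
               "September 25, 1999", "Blue 2009 Toyota Rav4"):
        print(report(pw))
```

Running it shows the point the post is making in numbers: the 8-character jumble has about 51 bits of entropy under this model and is exhausted in about three days at the assumed rate, while the 21-character sentence, using the same three character classes, has about 135 bits and a time-to-exhaust measured in sextillions of years. Length, not symbol soup, is what moves the number.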